Are You and Your Data Ready for NYCRR 500 Regulations

On March 1st, 2017, the New York State Department of Financial Services put into effect new cyber security requirements of its ‘covered entities’. Those entities include banks, trusts, budget planners, check cashers, credit unions, money transmitters, licensed lenders, mortgage brokers or bankers, and insurance companies that do business in New York. Here is a quick overview on who’s affected and what the impact will be on those covered.

Who must comply with the Regulations?

“Covered Entities,” defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization [from the NYDFS] under the Banking Law, the Insurance Law or the Financial Services Law,” but exempt certain very small Entities—those with (1) fewer than 10 employees or independent contractors; (2) less than $5 million in gross annual revenue each of the past three fiscal years; or (3) less than $10 million in it and its affiliates’ GAAP year-end total assets.

When do the Regulations take effect?

Within the next 180 days (starting from March 1st 2017), organizations must ensure they have a comprehensive cyber security Program in place, supported by written and implemented cyber security Policies. They also need to limit user access privileges to Information Systems providing access to “Nonpublic Information”. Over the course of the next 12 months, full compliance with NYCRR 500 is mandatory, requiring the Chairperson of the Board or Senior Officer of the company is required to sign and file a Certificate of Compliance.

Covered Entities must file their first annual certifications with the NYDFS no later than February 15, 2018.

What do the Regulations require?

Cyber security Program

Organizations must implement and maintain a cyber security Program, lead by a Risk Assessment (discussed below).

Cyber security Policy

Organizations must adopt a written cyber security Policy. The cyber security policy must be strictly based on the Organization’s Risk Assessment (discussed below), approved by a senior officer (as defined) or the Entity’s board of directors and must address several cyber security considerations.

Monitoring, Penetration and Vulnerability Testing

The cyber security Program for each organization must include a program of ongoing monitoring and testing, developed in accordance with the Organization’s Risk Assessment (discussed below),

demonstrate the effectiveness of the Entity’s cyber security Program. This monitoring and testing regime must include either (1) continuous monitoring or (2) periodic penetration testing.

Risk Assessment

Each organization must undertake a periodic Risk Assessment to reassess the cyber security risks inherent in its business operations, including its information systems and the nonpublic information it collects and stores. Organizations must undertake Risk Assessments with sufficient frequency to ensure that other provisions of their cyber security Plans remain in compliance with the Regulations.

Chief Information Security Officer

Each Organization must designate a Chief Information Security Officer (CISO) responsible for overseeing and implementing the institution’s cyber security Program and enforcing its cyber security Policy. The CISO must report to the Entity’s Board of Directors, at least twice annually, on a list of prescribed matters.

Third-Party Service Provider Security Policy

Each organization must have in place policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties.

Reporting Requirements

Organizations are required to report to the Department of Financial Services (DFS) under certain strictly defined circumstances and time frames.

Is there help?

There are many organizations out there that will offer services and programs to assist in getting affected organizations compliant. This will undoubtedly be a boon for some consulting companies while being a burden for covered entities. Here are some key considerations when choosing a partner to help with your NYCRR 500 compliance:

Does the partner understand the financial and insurance sectors and the cyber security concerns particular to each?

Does the partner have their own partnerships that can create the solution you need for NYCRR 500?

The financial impact of this regulation is something that a good partner can help with, be sure to ask if they can provide some or all of this work as part of a managed service solution.

Partners who are among the best at this sort of solution have a clear approach with predefined and prescription-based plans of attack, be sure to ask how they’ll take on this compliance task.

Ben Thurston @BThurstonCPTECH

Ben is the Director of the Cyber Security Practice at CTI. He is responsible for all the security solutions and services that CTI provides to their clients. These include risk assessments, incident response, data security and CTI’s managed SIEM which is a simple but powerful, agent-based appliance solution.